We present a practical quantum protocol that allows a user to retrieve information from a database
while protecting the privacy of the user (i.e. limiting the database's knowledge of what information is
retrieved) as well as the privacy of the database (i.e. limiting the amount of information the user can
retrieve). This functionality is similar to the cryptographic primitive 1-out-of-$N$ oblivious transfer,
which has been well studied in the context of classical information theory. While it has been shown
that quantum protocols cannot provide perfect privacy against an arbitrarily powerful quantum
computer, they are not vulnerable to improvements in classical computing technology or algorithms.
Here we show an experimental demonstration of our new protocol over a deployed fiber channel, and
present an analysis showing that our protocol is secure against simple quantum attacks. This makes
private queries the second application of quantum communication (after quantum key distribution)
that has been demonstrated in a real-world environment, meeting both the requirements of loss-
and fault-tolerance.

Uncertainty in quantum mechanics can be used to provide security in cryptographic applications,
allowing quantum cryptographic protocols to relax the typical assumptions required for security
(e.g. an adversary with limited computational power), or even avoid them altogether. The use of
quantum information has proven extremely successful for key distribution, where quantum key
distribution (QKD) can allow two parties to communicate over a public channel with information
theoretic security (i.e. security against an adversary with arbitrarily powerful computational
capability, including quantum computers). On the other hand, the security of commonly-used
public-key distribution protocols 6], which use only classical information, relies on the
complexity of certain mathematical problems. The application of quantum information theory to
other cryptographic tasks is an interesting topic both because of the insight offered into
capabilities of quantum versus classical information coding, and because of the possibility of
developing new practical cryptographic protocols with improved security. Indeed, there are various
proposals and experimental demonstrations of quantum cryptographic primitives such as secret
sharing 0, H| , coin-flipping m.l9l-fl6| , bit commitment [17, 18], and oblivious transfer (OT)
[18-22]. However, of these protocols, only the bit commitment and OT protocols of ref. [17, 18]
are simultaneously loss- and noise-tolerant, and thus are candidates for real-world implementation.

This article focuses on the problem of private queries, which refers to a class of protocols that
either implement 1-out-of-$N$ OT, or implement functionality similar to 1-out-of-$N$ OT (the
difference in functionality depends on the specific protocol). 1-out-of-$N$ oblivious transfer
allows a user, Ursula, to retrieve a single element from an $N$-element database without the
database provider, Dave, learning which element was retrieved. (Note that while Ursula and Dave
wish to cooperate in order to successfully perform this query, they are also adversaries in that
they can attempt to learn information that the other party wishes to keep secret.) This
functionality can be useful if the database spends significant effort gathering and analyzing data
(e.g. to make recommendations to investors) and the user wishes to purchase information privately
from Dave [IJ. (Note that, e.g. Dave knowing about interest from a large investor could affect his
recommendations to other clients and/or influence the stock price.) Furthermore, interest in this
topic also stems from the fact that OT has been shown to be a building block for other
cryptographic primitives, such as secure two-party computation [23]. As such, OT has been well
studied in classical information theory 2J-|26|.



As with QKD, quantum protocols allow OT to be secure under less stringent assumptions than their
classical counterparts. In particular it allows security against arbitrarily powerful classical
computers. However, unlike QKD, it has been shown that information theoretic security against an
arbitrarily powerful quantum adversary is impossible for a quantum OT protocol. In ref. [27], it
was shown that, assuming a universal quantum computer, the requirements for ideal OT, (a) that
Ursula is able to retrieve exactly one element, and (b) that Dave cannot gain any information
about which element was retrieved, imply that Ursula can then access every element of the
database. However, this does not mean that a practical protocol cannot exist. In practice, it may
not be necessary to have ideal OT — that is conditions (a) and/or (b) may be relaxed, which could
then lead to security against a universal quantum computer. Furthermore, reasonable assumptions
about the computational capabilities of the dishonest party may be acceptable. Indeed, classical
OT protocols also rely on one of two assumptions — that at least some fraction of the
intermediaries used to perform the query are trustworthy 25, litSj , or that the adversary has
limited classical computational resources [24]. It remains an interesting question as to whether a
non-ideal quantum OT protocol can offer a practical level of privacy, and under what assumptions
about Ursula and Dave's technological capabilities a given level of privacy can be achieved.

Several quantum protocols for private queries have been proposed recently that explore the
possibilities offered by making use of quantum information. Ref. [19] proposed a private query
protocol that does not satisfy condition (b) above, since it allowed a dishonest Dave to gain
complete information about which element Ursula retrieved. However, the protocol still offers
security for Ursula as she has, in principle, the potential to detect Dave's attempt to gain
information about her query, thus discouraging Dave from cheating (this type of security is
referred to as cheat sensitivity). Note that condition (a) was also not satisfied, as a dishonest
user could sacrifice her ability to verify Dave's honesty in order to obtain a second element
(although, this is not a significant loss of privacy for the database if $N$ is large). An
experimental proof-of-principle demonstration of this protocol was subsequently performed (2pj,
however, as Dave could hide his attempts to cheat if there was significant transmission loss
and/or errors in the quantum channel, the protocol is not practical under realistic conditions.
Ref. [21] proposed a probabilistic $n$-out-of-$N$ OT protocol based on the SARG04 Quantum Key
Distribution (QKD) protocol [28]. This protocol allows Dave to gain information about Ursula's
query, but only at the risk of introducing errors into the element Ursula retrieved, thereby
allowing a dishonest database to be detected (hence, the protocol is cheat sensitive). The
protocol also did not satisfy condition (a) above as Ursula gains probabilistic information about
elements of the database she does not request. Interesting features of this protocol are the
ability to tolerate loss in the channel, as well as the fact that it is simple to implement using
existing QKD technology. However, noisy channels were left as an open question, preventing
implementation of the protocol in realistic scenarios. The protocol we propose in this work is
based on the protocol of ref. [21] and its generalization [22], and retains the advantages of
those works while additionally addressing the remaining obstacle for a real-world implementation
by including an error correction procedure. Interestingly, the error correction procedure also
provides additional opportunities for Ursula to verify Dave's honesty, thus enhancing the cheat
sensitive property of the protocol.

Let us note that König, Wehner, and Wullschleger f5~sj ] proposed a quantum protocol for
1-out-of-2 OT using a noisy storage model, where perfect security is achieved under the assumption
that the dishonest party has imperfect quantum devices (i.e. quantum memories) which introduce
increasing amounts of noise into the stored quantum states over time (this assumption is one way
to preclude the universal quantum computer required by the proof [27] that ideal OT was not
possible). An experimental demonstration of this work has also recently been performed [29].



RESULTS 



A loss- and fault-tolerant private query protocol 



As in ref. [21, 22], the goal of our protocol is to facilitate a private query on an $N$-bit
database using an $N$-bit oblivious key (for simplicity, we consider each element of the database
to be a single bit). The oblivious key is a string of random bits known in its entirety to Dave,
but not to Ursula. To achieve ideal 1-out-of-$N$ OT, Ursula must know a single bit of the
oblivious key, whose position is unknown to Dave. Here we implement probabilistic $n$-out-of-$N$
OT. In this case, Ursula will, on average, know the value of $n$ bits (where $n$ is small) with
high confidence (for brevity, we often simply describe such bits as being known to Ursula). She
will also have probabilistic knowledge of other bits of the oblivious key (i.e. she can guess
their value with better than 50% probability). The locations of the bits Ursula knows are
distributed in random positions throughout the key which are unknown to Dave. At the end of the
protocol, Ursula's probabilistic knowledge of the oblivious key is mapped to her knowledge of the
database, thus the protocol does not satisfy condition (a) of ideal OT. Condition (b) of ideal OT
is also not satisfied, as we retain the property that Dave can gain information about Ursula's
query at the cost of introducing errors [21, 22]. A list of possibly pessimistic assumptions under
which the protocol is secure is given in the Supplementary Information. The honest protocol for
the private query is as follows (see Figure 1 for a graphical representation of the protocol):

1. Dave generates two long strings of classical bits uniformly at random, and records their
values. Each string should be $\approx kN/t$ bits in length, where $k$ is a parameter determined
by the previously agreed upon error correction procedure (to be discussed later), $N$ is the
length of the database, and $t$ is the transmission of the link between Ursula and Dave.

2. Dave uses each pair of classical bits generated above to choose a quantum state from a set of
four previously agreed upon non-orthogonal states (shown in Figure 1; note that these are not the
standard BB84 states), and prepares qubits accordingly. A random bit from the first string
determines whether the state is prepared in the 0-basis (spanned by $|\psi_0\rangle$ and
$|\phi_0\rangle$) or the 1-basis (spanned by $|\psi_1\rangle$ and $|\phi_1\rangle$), and the
corresponding random bit in the second string determines whether the $\psi$ or $\phi$ state in
each basis is chosen. The first random string forms Dave's raw key, for which the bit values
correspond to the bases in which he prepared the qubits.

FIG. 1. Graphical representation of the private query protocol. The steps indicated on the left
margin correspond to the steps described in the text.

3. Dave sends the qubits encoded into single photons 
to Ursula using a possibly lossy and noisy quantum 
channel. 

4. Ursula makes projection measurements using either the 0- or 1-basis, chosen uniformly at
random, and records the measurement bases and the results. Ursula publicly announces the cases in
which she detected a photon, and Ursula and Dave both discard all the events where Ursula failed
to detect the photon. Note that the ability for Ursula to select bits to discard does not allow
her to gain any advantage as she does not have any information from Dave at this point of the
protocol. The protocol proceeds to the next step once Ursula has succeeded in detecting $kN$
photons, and the corresponding $kN$ bits that Dave keeps from his raw key form his sifted key.

5. Dave publicly announces his second string of random bits (used to select whether he encoded the
qubits into a $\psi$ or $\phi$ state), which, combined with knowledge from Ursula's measurements
(and, for the moment, assuming a noiseless channel), allows her to conclusively identify whether
the state was encoded in the 0- or 1-basis with probability $p_c = \frac{\sin^2\theta}{2}$. Note
that when Ursula's measurements yielded inconclusive results, which occurs with probability
$p_i = 1 - p_c$, she gains probabilistic information about the basis. This information can be
quantified by the probability that she incorrectly identifies the basis, $e_i$ = ^"^Jf/L . A noisy
channel will affect the probabilities $p_c$, $p_i$, and $e_i$, as well as result in a non-zero
error rate for conclusive measurements, denoted $e_c$. Like Dave, Ursula associates classical bit
values to the quantum states based on the basis, and forms her sifted key using the most likely
values of the bits given her measurement results. Note that Ursula can abort the protocol if her
results indicate that Dave's choice of quantum states deviates significantly from uniform.

6. Dave divides his sifted key into $N$ $k$-bit blocks, and computes each bit of his oblivious key
as the parity of the $k$ bits in each block (the parity is 0 if an even number of the $k$ bits is
1, and 1 otherwise). He publicly announces which bits form each block. In addition, according to a
previously agreed upon error-correcting code, he also sends the parities of several subsets of the
$k$ bits to Ursula. Using this information, along with her sifted key and knowledge of whether the
measurements were conclusive or inconclusive, Ursula computes the most likely value of each
oblivious key bit, as well as the probability that this value is incorrect, denoted $e_k$. The
error-correcting code is selected such that Ursula will only have a high confidence (or low $e_k$)
in $n$ bits on average, where $n$ is typically a few bits. Note that the probabilistic nature of
the protocol implies that Ursula may not learn any bits of the oblivious key, in which case the
protocol must be restarted. Selecting $n$ to be a few bits ensures that the probability for Ursula
to not know any bits is very low, and allows Dave to abort the protocol after a small number of
declared failures by Ursula. This prevents her from repeatedly declaring failure until she obtains
a very favorable result (i.e. many known bits) before proceeding with the protocol [21].
Furthermore, as discussed in detail in the Supplementary Information, the errors introduced by a
dishonest Dave may cause him to send classical information for error correction that is
inconsistent with Ursula's measurements, in which case Ursula aborts the protocol. Note that at
this point, Ursula has not revealed any information other than announcing which photons were
detected.

7. Ursula selects a shift value that aligns one of the bits she knows in the oblivious key to the
bit in the database that she wants to know. She communicates this shift value classically to Dave,
who applies the shift to his oblivious key, and then uses it to encrypt the database using the
one-time-pad [3(|. He then sends the encrypted database to Ursula, who can only decrypt the bits
for which she knows the corresponding oblivious key bit. If Ursula knows multiple bits of the
oblivious key she will learn multiple bits of the database. However, the shift only allows her to
select the location of a single bit of the database, with the remaining learned bits distributed
randomly.
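
The classical post-processing of steps 4 to 7, as an added Python example that is not the authors' code. It assumes a classical abstraction in which each measurement outcome is drawn from the Table I values instead of simulating photons, and it omits the side parities of the error-correcting code (described only in the Supplementary Information), so Ursula's $e_k$ comes from the piling-up lemma alone; the function names and the 2000-bit database are illustrative.

```python
import random

# Values measured in the experiment (Table I, standard detectors, mu = 0.95).
P_C = 0.161           # probability that a measurement is conclusive
E_I = 0.4124          # error rate of Ursula's best guess after an inconclusive result
E_C_MEASURED = 0.044  # error rate of conclusive measurements over the fiber link
T_U = 1e-3            # Ursula treats a key bit as known when e_k < T_U


def parity_error(bit_errors):
    """Error probability of the XOR of independent guesses (piling-up lemma)."""
    product = 1.0
    for e in bit_errors:
        product *= 1.0 - 2.0 * e
    return (1.0 - product) / 2.0


def oblivious_key(n_bits, k, e_c, rng):
    """Steps 4-6 as a classical abstraction (assumption): per-bit outcomes are drawn
    from P_C, e_c and E_I, and no error-correction side parities are exchanged.
    Returns Dave's key, Ursula's most likely key, and her error estimate e_k per bit."""
    dave_key, ursula_key, e_k = [], [], []
    for _ in range(n_bits):
        true_parity, guessed_parity, errors = 0, 0, []
        for _ in range(k):
            bit = rng.getrandbits(1)                   # Dave's sifted-key bit
            err = e_c if rng.random() < P_C else E_I   # conclusive or inconclusive
            guess = bit ^ int(rng.random() < err)      # Ursula's most likely value
            true_parity ^= bit
            guessed_parity ^= guess
            errors.append(err)
        dave_key.append(true_parity)
        ursula_key.append(guessed_parity)
        e_k.append(parity_error(errors))
    return dave_key, ursula_key, e_k


def private_query(database, target, k, e_c, rng, max_restarts=20):
    """Step 7: Ursula sends one shift value, Dave returns the one-time-padded database.
    Returns ({database index: bit Ursula decrypts}, shift)."""
    n = len(database)
    for _ in range(max_restarts):
        dave_key, ursula_key, e_k = oblivious_key(n, k, e_c, rng)
        known = [pos for pos in range(n) if e_k[pos] < T_U]
        if known:
            break
    else:
        # Dave aborts after a small number of failures declared by Ursula.
        raise RuntimeError("Ursula learned no oblivious key bit")
    shift = (rng.choice(known) - target) % n
    # Dave applies the shift to his key and encrypts every database bit.
    ciphertext = [database[i] ^ dave_key[(i + shift) % n] for i in range(n)]
    # Ursula can only remove the pad where she knows the key bit.
    learned = {(pos - shift) % n: ciphertext[(pos - shift) % n] ^ ursula_key[pos]
               for pos in known}
    return learned, shift


if __name__ == "__main__":
    rng = random.Random(2014)  # constructed demo input
    database = [rng.getrandbits(1) for _ in range(2000)]
    learned, shift = private_query(database, target=1234, k=3, e_c=0.0, rng=rng)
    print("shift sent to Dave:", shift)
    print("bits learned:", len(learned), "target correct:", learned[1234] == database[1234])
    print("e_k, k=10, all conclusive, measured e_c:", parity_error([E_C_MEASURED] * 10))
```

With the measured conclusive error rate of 4.4% and k = 10, even a block of ten conclusive results leaves $e_k$ near 0.30, far above $t_U$, so without the error-correcting side information Ursula would never consider a key bit known.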



Error-correcting codes for private queries 

Our error correction procedure (see Supplementary Information for a full description) is inspired
by syndrome decoding of error-correcting codes such as Hamming codes [31], which can operate on a
few bits at a time. However, it is important to note that the context of private queries creates
unique requirements. First, as mentioned above, the goal of our error correction algorithm is to
recover the value of the $k$-bit parity, and not the individual values of the $k$ bits as would
typically be the case for error correction. Second, the goal in designing the error-correcting
code is not to simply maximize the probability of successful decoding (i.e. obtaining a
sufficiently low value of $e_k$). Rather, a specific success probability is desired in order to
ensure that Ursula only learns a few bits of the oblivious key. Furthermore, to prevent Ursula
from learning a large amount of probabilistic information about the remaining bits of the key, it
is desirable to keep $e_k$ as high as possible in those cases where decoding does not succeed.
Third, the input bits can be divided into those with low error rate (conclusive measurements), and
those with very high error rate (inconclusive measurements). We note that it is the interaction of
this latter property with the short block lengths used that allows uncertainty to be maintained
after error correction, thereby limiting the amount of information that Ursula learns about the
database. These unique requirements make it necessary to construct error-correcting codes
specifically for private queries, rather than using those designed for classical communications or
QKD.

In order to quickly evaluate error-correcting codes, we define two thresholds, $t_U$ and $t_D$.
When $e_k < t_U$, Ursula considers the oblivious key bit to be known. When $e_k < t_D$, Dave
considers Ursula to have significant partial information about that bit. These thresholds should
be selected based on the requirements of the application. In this work, we use $t_U = 10^{-3}$ and
$t_D$ = |-. In order to reduce the probability of error in Ursula's oblivious key bit below her
threshold (i.e. $e_k < t_U$), the error correction process must sufficiently reduce $e_k$ when her
quantum measurements succeeded in obtaining a large amount of information about the $k$ bits
(e.g. when most or all measurements were conclusive). However, the error correction will also
reduce $e_k$ in the cases where several measurements were inconclusive. Hence, the error rate for
inconclusive measurements, $e_i$, is of particular importance to the fraction of bits where
$e_k < t_D$. With this in mind, a smaller angle between states (characterized by $\theta$ as shown
in Figure 1) has, in addition to those benefits noted in ref. [22] (i.e. reduced quantum
communication, improved database security, and better control over the number of bits Ursula
learns), the benefit of reducing the partial information from inconclusive measurements. However,
there is a trade-off between these benefits and the fact that the error rate for conclusive
measurements is also increased due to a reduced signal-to-noise ratio, making it more difficult to
achieve $e_k < t_U$. A detailed description of the selection of our error-correcting codes is
given in the Supplementary Information.

Experimental and simulated performance of our protocol

We performed an experimental demonstration of private queries over a 12.4 km fiber link between
the University of Calgary and SAIT Polytechnic, using our BB84 [1] QKD system [32] (with a small
modification to the hardware to set $\theta = 35.6^\circ \pm 0.49^\circ$ — all other differences
between our protocol and BB84 QKD are in the classical post-processing). Our experimental setup is
shown in Figure 2 (see ref. [32] for a detailed description). Note that our demonstration uses
weak coherent pulses rather than single photons, and hence database privacy requires the
assumption that Ursula is not able to exploit pulses containing multiple photons (adapting the
protocol for weak coherent pulses, e.g. using decoy states as in QKD [33-35], remains an open
question, and we discuss some possibilities in the Supplementary Information). We consider a
database size of $N = 10^6$ and, based on measured error rates for our system, an error-correcting
code with $k = 10$ was selected, thus requiring $10^7$ measured qubits per query. Note that we did
not consider $k > 10$ due to computational constraints when searching for the best possible
construction of the error-correcting code. A total of 11 queries was performed using a mean number
of photons per pulse of $\mu = 0.95 \pm 0.047$ to show that the protocol can function at the
single photon level. In this setting, our system took approximately 4.5 hours to accumulate the
$10^7$ bits of data needed for one private query. In order to quickly collect statistics, we
repeated the experiment with mean number of photons per pulse increased to $\mu = 9.5 \pm 0.47$,
performing 104 queries. While the multi-photon emissions at this $\mu$ are likely to compromise
the security of the protocol if Ursula monitors the pulses outside Dave's laboratory, fair data
collection is ensured by the fact that this value corresponds to $\sim 0.95$ photons per pulse at
the detectors. The measured parameters that determine the performance of the protocol are shown in
Table I (note that the experimentally measured parameters at both mean photon numbers are the same
to within one standard deviation), along with parameters for a theoretical simulation of what
could be achieved using state-of-the-art detectors [H, [37}. These detectors allow for
significantly reduced noise as they feature low dark count rates ($\approx 100$ Hz), and, in the
case of ref. [3(|, detection efficiencies up to 93%. With the improved signal-to-noise ratio, we
select the parameters of the protocol to be $\theta = 25^\circ$ and $k = 9$.

FIG. 2. Diagram of the experimental setup. The database (Dave) uses a computer and
field-programmable gate-array (FPGA) to control the generation of polarization qubits via an
attenuated laser diode (LD1 and ATT) and polarization modulator (PM). Quantum frames [32]
(sequences of strong light for timing and stabilization) are generated by a second laser diode
(LD2) and merged using a polarizing beam-splitter (PBS). Light is transmitted from Dave to Ursula
through a 12.4 km dark fiber link with 4.5 dB loss between SAIT Polytechnic and the University of
Calgary. Ursula splits off 10% of the incoming light (90/10 BS) to a photodiode (PD) used to
detect the quantum frames. The 50/50 BS is used to passively select a random measurement basis.
The apparatus for each basis consists of a polarization controller (PC), a PBS, and two single
photon detectors (SPD) to make the projection measurement. Upon detecting a quantum frame,
Ursula's FPGA triggers the SPDs and initiates data collection by the computer, or polarization
compensation, as appropriate.



TABLE I. Parameters for the private query protocol as measured in our experiment with standard
detectors, and simulated for low-noise detectors. The value of $\theta$ (including standard
deviation) is measured using classical light. For the probabilities of conclusive measurements,
$p_c$, and error rates for conclusive and inconclusive measurements, $e_c$ and $e_i$, the standard
error expected based on Poissonian counting statistics for the $10^7$ bits in each query is
negligible compared to the observed variations across the queries performed. The observed standard
deviations are attributed to time-varying error in the alignment of the measurement bases at the
receiver as a result of channel instability. Note that the measurement results for the
$\mu = 9.5 \pm 0.47$ case show more variation in the parameters than for the
$\mu = 0.95 \pm 0.047$ case due to short-term fluctuations that are averaged out by the long data
collection time needed to acquire the $10^7$ bits per query in the $\mu = 0.95 \pm 0.47$ case.

                   standard detectors                  low-noise detectors
$\mu$ (photons)    0.95 ± 0.047      9.5 ± 0.47
$\theta$ (°)       35.6 ± 0.49       35.6 ± 0.49
$p_c$ (%)          16.1 ± 0.29       16.1 ± 0.93       9.22
$e_c$ (%)          4.4 ± 0.59        4.6 ± 0.38        1.91
$e_i$ (%)          41.24 ± 0.08      41.3 ± 0.64       45.12
$k$ (bits)         10

The experimental and simulated results for these codes are shown in Table II. The simulated
results corresponding to our experiment are derived from Monte Carlo simulations taking into
account the variation in the parameters shown in Table I. Figure 3 compares the distribution of
the results over the 104 queries performed in the $\mu = 9.5 \pm 0.47$ case with the simulation
results, showing good agreement between the two. Note that in both experimental cases, no errors
were observed in the bits learned by Ursula (i.e. where $e_k < 10^{-3}$), with a total of 45 bits
learned in 11 queries when $\mu = 0.95 \pm 0.047$ and 405 bits learned in 104 queries when
$\mu = 9.5 \pm 0.47$.

In addition, our simulation results show that the primary obstacle to improving database security
in the protocol is noise in the system, which can be greatly reduced by state-of-the-art single
photon detectors. These detectors can also improve the rate at which queries can be performed by
almost an order of magnitude because of their higher detection efficiencies. Further improvement
of this rate is straightforward, as QKD systems can easily be adapted to perform this protocol. A
state-of-the-art BB84 QKD system has shown that data can be accumulated at a rate of $10^6$ to
$10^7$ bits per second, depending on the distance between Ursula and Dave [38]. For the parameters
in our experimental demonstration, this would allow one private query to be performed every few
seconds. The amount of data required can also be reduced by repeating a short oblivious key over a
longer database and then applying a shift as before to allow Ursula to select the desired bit.
This would allow queries to be performed more often, or equivalently, allow queries to be
performed on a larger database in the same amount of time. However, this comes at the expense of
database security, as the user is able to learn additional bits for each repetition of the key
(though not in locations of her choice, as only a single shift value is communicated). We also
note that a modification to the protocol of ref. [21] has recently been proposed that reduces the
amount of quantum communication required [39], however applying this modification to our protocol
is not straightforward.



Cheating strategies 

It is important to consider potential cheating strategies in view of error correction (a more
detailed discussion can be found in the Supplementary Information). We considered the attacks on
individual qubits discussed in ref. [21, 22], and found that they are made less powerful by error
correction. First, for a dishonest database, it was shown that Dave can send false quantum states
in order to manipulate Ursula's probabilities for conclusive and inconclusive measurements, $p_c$
and $p_i$, giving him knowledge of Ursula's query at the expense of introducing errors. With error
correction, this attack only succeeds if the error correction is successful despite the additional
errors introduced. Furthermore, Ursula can abort the protocol if, in the process of error
correction, she detects an abnormal error rate (i.e. one that is inconsistent with the agreed upon
error correcting code and success probability of the protocol) that was caused by the attack.
Second, for a dishonest user, it was shown that Ursula could perform an unambiguous state
discrimination (USD) measurement [40, 41] in order to slightly improve her probability of
conclusive measurements, which allows her to learn a few additional bits of the oblivious key
[21]. However, this comes at the expense of gaining no information about the bit value (i.e.
$e_i = 0.5$) when the USD measurement gives inconclusive results. While this probabilistic
information was not previously considered useful [21, 22], it is an important input to the error
correction process. Thus, the effectiveness of this attack is reduced in the presence of error
correction, and our analysis in the Supplementary Information shows that in some cases performing
a USD measurement actually reduces the number of bits of the oblivious key that Ursula learns as
compared to the honest measurements. Note that only individual USD measurements have been
considered, and collective attacks (e.g. an optimized joint USD measurement on the $k$ qubits that
form each oblivious key bit) remain an open question.

In addition to the previously studied attacks, we also consider that Ursula and Dave are
adversarial in nature in the protocol, and thus may not cooperate when estimating the error rate
in order to select an appropriate error-correcting code. An error-correcting code that is not well
suited to the actual error rate in the system will either result in Ursula learning too few or too
many bits of the oblivious key, but does not impact user security. Hence the database does not
have any motivation to falsify the error rate, but the user would like the database to think the
error rate is larger than it is in reality, leading to the selection of an error-correcting code
that gives her more information. In our analysis (detailed in the Supplementary Information), we
find that Dave can ensure that he has a reasonable level of security by determining the error rate
of devices under his control (potentially by intentionally introducing noise) and selecting an
error-correcting code accordingly. In addition, even if Ursula's devices introduce some additional
error that Dave does not account for in his security analysis, the protocol is still successful
for her.

TABLE II. Experimental and simulated results for the quantum private queries. The following
figures of merit are used: the average number of bits learned by the user per query, $n$, the
average proportion of the database where the user has significant partial information (i.e.
$e_k < t_D$), $m$, and the failure probability (i.e. that the user learns zero bits), $P_0$.

               $\mu = 0.95 \pm 0.047$         $\mu = 9.5 \pm 0.47$           low-noise
               experimental   simulated       experimental   simulated       simulated
$n$ (bits)     4.1 ± 2.4      3.2 ± 1.1       3.9 ± 3.1      3.5 ± 1.9       4.35
$m$ (%)        6.1 ± 0.25     6.1 ± 0.25      6.3 ± 1.4      6.3 ± 1.3       0.96
$P_0$ (%)      9.1 ± 9.1      8.8             8.7 ± 2.9      9.4             1.29

FIG. 3. Histograms for the information gained by the user in the 104 queries performed in the
$\mu = 9.5 \pm 0.47$ case. a) The number of bits learned by the user. b) The percentage of the
database of which the user learns significant partial information. In both figures error bars for
the experimental results represent one standard deviation assuming Poissonian counting statistics,
and the blue crosses show the expected distribution obtained from Monte Carlo simulations.

Note that the ability to adjust the number of bits Ursula learns about the oblivious key through
the selection of an appropriate error-correcting code is a useful feature for the future
development of the protocol. As the security of the protocol against arbitrary quantum attacks
remains an open question, it is conceivable that Ursula can make measurements which give her more
information about the quantum states sent by Dave than has been considered in this work. However,
if such measurements are simple to implement, they can be adopted as the procedure for an honest
user provided that the error-correcting code can be adjusted to account for the improved
information gain.



DISCUSSION 



We have shown that error correction can be integrated into the private query protocol proposed in ref. [21] and
generalized in ref. [22], which has allowed us to perform, for the first time, a quantum protocol for private queries
in a real-world setting. We have re-examined the individual attacks discussed in ref. [21, 22], and found that error
correction presents additional complications for these cheating strategies. Error rate estimation between adversarial
parties is not an issue in this protocol since database security can be guaranteed by the errors introduced by Dave's
devices, and the user is able to tolerate additional error in the system. Quantum protocols for private queries have
thus been shown to be possible in practice, and present an interesting alternative compared to non-quantum OT schemes.






ACKNOWLEDGEMENTS

The authors thank M. Jakobi, M.V. Panduranga Rao and C. Erven for useful discussions, V. Kiselyov for technical
support, SAIT Polytechnic for providing laboratory space, and acknowledge funding by NSERC, QuantumWorks,
General Dynamics Canada, iCORE (now part of AITF), AITF, CFI, and AAET.

SUPPLEMENTARY INFORMATION 

QUANTUM STATE IDENTIFICATION 

In our protocol, the database provider, Dave, encodes each qubit into one of four randomly chosen quantum states,
|ψ0⟩, |ψ1⟩, |φ0⟩ or |φ1⟩, as shown in Figure 4. The user, Ursula, measures each qubit in either the 0-basis, spanned by
|ψ0⟩ and |φ0⟩, or the 1-basis, spanned by |ψ1⟩ and |φ1⟩. After these measurements, Dave tells Ursula whether each
qubit was encoded into one of the ψ states or one of the φ states. In order to demonstrate the state identification
process, suppose Ursula measured in the 0-basis, and Dave declares that he sent one of the ψ states. If Ursula's
measurement result was |φ0⟩, she knows Dave could not have sent |ψ0⟩ as these two states are orthogonal. Hence
Dave must have sent |ψ1⟩. This is a conclusive result, and occurs with probability p_c = s,n ^ . Alternatively, if
Ursula's measurement result was |ψ0⟩, she only knows that the state was more likely to have been |ψ0⟩ than |ψ1⟩.
This is an inconclusive result, occurring with probability p_i = 1 − p_c. As the two potential states are associated with
different classical bit values (as indicated by the subscripts), Ursula only gains probabilistic knowledge from this
measurement result. This corresponds to an error rate of e_i = ^"Mf^ in the ideal case (i.e. when no other sources
of error are present).




FIG. 4. Quantum states used in the private query protocol shown on a plane of the Bloch sphere. 



ERROR CORRECTION 

We use a parity-based forward error-correcting code operating on k-bit blocks (corresponding to the k bits used
to compute one oblivious key bit), where Dave sends the parity of several subsets of the k bits to Ursula. The
construction of the code is normally described as a parity check matrix, denoted H, and is known to both Ursula and
Dave. The parity computation for the j-th oblivious key bit is then given by:

p_j = H d_j (mod 2)    (1)

where p_j is a vector of computed parity bits (which Dave sends to Ursula) and d_j is a vector containing the k bits that
Dave uses to compute a single oblivious key bit. For each oblivious key bit, Ursula has a corresponding k-bit vector,
u_j, where each bit stems from a conclusive or an inconclusive measurement, which have, respectively, error rates of e_c
and e_i. Ursula can estimate these error rates over the entire protocol by comparing the parities, p_j, she receives from
Dave and the parities she computes locally using u_j. Using these error rates, Ursula's error correction procedure for
each oblivious key bit is as follows:
1. Rule out those combinations of values for the k bits that are not consistent with the values for p_j received from
Dave.

2. Divide the remaining possibilities into two sets — those that correspond to an oblivious key bit of 0, and of 1. 

3. Based on the measurement results and estimated error rates, calculate the probability that each combination of 
values for the k bits is correct. The set with the higher total probability determines the most likely value of the 
oblivious key bit. 

4. Compute the probability of error in the oblivious key bit, e_k.

Note that Ursula can significantly reduce the computation required for error correction by only performing this 
procedure when almost all of the k bits were measured conclusively. In doing so, she only performs error correction 
when there is a possibility that the result will satisfy ek < t\j. 
The error correcting codes used in this work are given by: 
(3)

for θ = 25°.



ASSUMPTIONS REQUIRED FOR SECURITY 

The results for honest parties presented in the main text and for the cheating strategies discussed in the following
section rely on several assumptions. These assumptions are that:

1. Quantum theory is correct and complete. 

2. Ursula's and Dave's laboratories are secure (i.e. no information leaves their laboratories except for as specified 
in the protocol). 

3. The dishonest party has limited quantum technological capabilities. At the fundamental level, some amount
of security is guaranteed by the no-signaling theorem (protecting the user's security) and the impossibility to
perfectly distinguish between non-orthogonal quantum states (protecting the database's security) [21]. The
experimental results presented in Table 2 and Figure 3 of the main text are valid assuming an arbitrarily
powerful classical computer, and in the following section we discuss simulations showing the effect of several
quantum attacks on those results (as well as the technological requirements for those attacks). It remains an
open question as to what specific technological assumptions, if any, are required to achieve a sufficient level of
security. In addition, we note that the error-correcting code in our protocol can be selected in order to provide
less information to Ursula in order to compensate for an increased information gain from more powerful quantum
measurements. Thus, it may be possible to adopt such measurements as the legitimate procedure for the user,
provided that the measurements are feasible technologically.

4. In our experimental demonstration, it is also necessary to assume that the user is not able to take advantage 
of multi-photon pulses that result from using a source of weak coherent pulses. While this assumption can be 
avoided if Dave uses a single photon source, the implementation of weak coherent pulses is much simpler from 
a technological perspective. Thus, it is desirable for the protocol to be secure for weak coherent pulses without
the need for additional assumptions. The decoy state techniques used in QKD [33-35] provide security against
an adversary capable of exploiting multi-photon pulses. However, the adversarial nature of the parties in private 
queries means these techniques cannot be applied directly as they require cooperation between the legitimate 
parties. Adapting these protocols for private queries is an interesting open question. Another possibility for 
security with weak coherent pulses is for Dave to account for the additional information that can be extracted 
from multi-photon pulses, which is well studied in the context of QKD, when selecting the error-correcting code. 
If this information gain due to multi-photon pulses is sufficiently small, the protocol can provide a suitable level 
of database security while maintaining a high success probability for the user. 



CHEATING STRATEGIES 



In this section we discuss the attacks on individual qubits proposed in [21], [22]. The discussion below shows that
the error correction step provides improved security for the protocol against these individual attacks. Optimization
of collective attacks in view of error correction remains an interesting open question, as does an analysis of fully
general quantum attacks or an information theoretic treatment of our protocol. Furthermore, we comment on the
issue of error rate estimation between adversarial parties. As example cases for these discussions, we consider the
mean parameters measured with μ = 0.95 ± 0.47 using standard detectors and the simulated parameters for low-noise
detectors (see Table 1 in the main text). For the measured parameters, we do not consider the observed variances
since they are specific to the system used to implement the honest protocol.



User Privacy 

Let us first consider an attempt by the database to determine which piece of information Ursula is interested
in. Recall that our protocol does not prevent a dishonest database from gaining some information about Ursula's
query, but is cheat sensitive in that it gives Ursula the possibility of detecting such an attack. Performing the attack
described below does not require any additional technology, as it simply requires Dave to send quantum states that
either maximize or minimize the probability, p_c, that Ursula will believe her measurement was conclusive [21]. In
order to determine Ursula's query, Dave seeks to have Ursula learn only a single bit of the oblivious key whose position
is known to him; thus he maximizes p_c for the k bits that form one oblivious key bit in an attempt to convince Ursula
that she knows a particular bit of the oblivious key of his choice. He then minimizes p_c elsewhere in an attempt to
prevent Ursula from knowing other bits in the oblivious key, in positions unknown to him. As noted in [22], Dave's
ability to control p_c improves as the angle between the 0-basis and 1-basis, θ, is decreased, making the attack more
powerful. However, in both cases (i.e. maximization or minimization of p_c), the quantum state Dave sends for this
attack lies directly between either pair of ψ or φ states shown in Figure 4, and thus Ursula will associate a bit value to
the measurement that is completely unknown to Dave. Hence, under this attack, Ursula receives a random bit value
in response to her query, leading to the cheat sensitive property in [21], [22] (and in our protocol), where incorrect
query results will reveal Dave's dishonest behavior (i.e. over time, Dave will acquire a reputation of providing poor
query results).

Furthermore, in our protocol the error correction steps provide additional opportunities for Ursula to verify Dave's
honesty, both weakening the above attack as well as providing the possibility of detecting the weakened attack prior
to Ursula revealing information about her query. Specifically, the consequence of Dave sending quantum states that
minimize p_c (in order to prevent Ursula from knowing one or more bits of the oblivious key in random positions) is that
Ursula's and Dave's sifted keys are completely uncorrelated (i.e. they have error rates e_c = e_i = 50%). Additionally,
since Dave has no knowledge of Ursula's sifted key, the parity bits, p_j (see Eq. (1)), that he sends for error correction
will be completely uncorrelated with the parity bits Ursula computes from her measurement results. This allows
Ursula to detect a cheating database, and abort the protocol. While this severely restricts Dave's ability to ensure
that Ursula does not know bits of the oblivious key in random positions, it does not prevent him from attempting
to convince Ursula that she knows a bit in a particular position of his choosing in addition to any bits she learns
randomly (in this case, Dave is unsure if Ursula's query corresponds to the position where he conducted the attack, or
to an unknown position that Ursula learned randomly). This is due to the fact that Dave only needs to maximize p_c
in k bits out of kN bits of the sifted key, which has a negligible effect on the overall error rates for large N. However,
this attack has a limited success probability, and if it fails, it may fail in a way that is suspicious to Ursula, again
allowing Ursula to abort the protocol (see below for a detailed example). Note that the above verifications occur after
the error correction step, but before the shift value is communicated, thus Dave gains no information about Ursula's
query if the protocol is aborted.

To illustrate the possibility for Ursula to detect an attempt by Dave to convince her a particular bit is known,
we consider the parameters as discussed above. For k = 10 and θ = 35.6°, there is a 37.49% chance that Ursula
will believe all k bits are conclusive given this attack. For k = 9 and θ = 25°, this probability increases to 64.93%.
However, for Dave to convince Ursula that she knows a particular bit of the oblivious key, it is not sufficient for her
to believe that all k bits are conclusive, as the error correction procedure must also indicate that her measurement
results are correct or correctable (i.e. the error correction procedure results in an error probability < %, where we
recall that we have selected % = 10^-3 as the threshold where Ursula considers a bit to be known). The attack thus
becomes more difficult with error correction, since the database must also send parity information to Ursula that is
consistent with her measurements. Since Dave's bit values are completely uncorrelated with Ursula's measured bit
values, the parity information that Dave sends is essentially random, and Ursula is unlikely to find a low value for
e_k. In the above examples, Ursula finds e_k < 10^-3 with only 5.92% probability and 12.73% probability, respectively,
showing that this attack has a limited success probability. In addition, the case where Ursula believes all k bits were
measured conclusively is of particular interest as it is very unlikely that she will find a large probability of error in
the oblivious key bit after error correction, e_k, if the protocol was performed honestly. However, in the above attack,
Dave must send parity information that is uncorrelated with Ursula's measurement results, leading to a large amount
of uncertainty during Ursula's error correction process and resulting in a high probability of finding a large value for
e_k. For example, when Ursula believes all k bits were measured conclusively, for k = 10 and θ = 35.6°, she expects
e_k > 0.15 with 2.14% probability if Dave is honest, but this increases to 40.63% given the above attack. For k = 9
and θ = 25°, she expects e_k > 0.055 with 0.71% probability when honest, and 65.63% with the attack. A large value
for e_k when all k bits are measured conclusively can thus serve as an indication that Dave is attempting to cheat, and
allow Ursula to abort the protocol. Furthermore, even if the protocol proceeds and Dave is cheating (e.g. because
Dave, by chance, sent consistent parity information), Ursula's and Dave's oblivious key bits after error correction
are still uncorrelated, as in the protocol of [HI. This ensures that the cheat sensitive property of the protocols
in [21], [22] discussed above is preserved in our protocol.

Generally speaking, we note that the additional benefits provided by the error correction procedure are relevant 
to other attack strategies as well. Ursula now has the ability to monitor the aggregate error rates in the system, 
allowing her to detect any attack by Dave that has a significant effect on the overall error rates. Furthermore, the 
need for the database to be able to send meaningful parity information during error correction provides an additional 
hurdle for attacks that cause Dave to lose information about Ursula's measurement results. 
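
Ursula's four-step error correction procedure from the ERROR CORRECTION section, together with the check on e_k described above, can be carried through exactly for a small code. The following Python code is an added example, not code from the paper: the 5-bit parity-check matrix H, the XOR rule for forming the oblivious key bit, and the alarm level SUSPICIOUS are assumptions made for illustration, while e_c, e_i and the 10^-3 threshold are taken from the text and Table III.

```python
from itertools import product

# Constructed parity-check matrix for blocks of k = 5 bits (not one of the
# paper's codes). Each row selects a subset whose parity Dave sends.
H = [
    [1, 1, 0, 0, 0],
    [0, 1, 1, 0, 0],
    [0, 0, 1, 1, 0],
    [0, 0, 0, 1, 1],
]
K = len(H[0])
E_C, E_I = 0.044, 0.4124  # e_c, e_i: Table III, "user" column, theta = 35.6 deg
THRESHOLD = 1e-3          # Ursula treats a key bit as known if e_k < 10^-3
SUSPICIOUS = 1e-2         # constructed alarm level for this toy code


def parities(bits):
    """Eq. (1): p = H d (mod 2) for one block of k bits."""
    return tuple(sum(h * b for h, b in zip(row, bits)) % 2 for row in H)


def key_bit(bits):
    """Assumption: the oblivious key bit is the XOR of the k sifted bits."""
    return sum(bits) % 2


def correct(p, u, conclusive):
    """Steps 1-4 for one block. Returns (most likely key bit, e_k)."""
    weight = [0.0, 0.0]  # total probability of the key-bit-0 and key-bit-1 sets
    for d in product((0, 1), repeat=len(u)):
        if parities(d) != tuple(p):  # step 1: inconsistent with Dave's parities
            continue
        prob = 1.0  # step 3: likelihood of d given Ursula's results
        for d_i, u_i, c in zip(d, u, conclusive):
            e = E_C if c else E_I
            prob *= e if d_i != u_i else 1.0 - e
        weight[key_bit(d)] += prob  # step 2: split by key bit value
    best = 0 if weight[0] >= weight[1] else 1
    return best, weight[1 - best] / (weight[0] + weight[1])  # step 4


def prob_large_ek(dave_cheats):
    """Exact P(e_k > SUSPICIOUS) when Ursula believes all k bits conclusive.

    Honest Dave: his bits d differ from Ursula's u with probability e_c per bit.
    Cheating Dave (attack described above): d is uncorrelated with u.
    """
    u = (0,) * K  # the code is linear, so the result does not depend on u
    total = 0.0
    for d in product((0, 1), repeat=K):
        flips = sum(d)  # positions where d differs from u
        if dave_cheats:
            p_d = 0.5 ** K
        else:
            p_d = E_C ** flips * (1.0 - E_C) ** (K - flips)
        _, e_k = correct(parities(d), u, (True,) * K)
        if e_k > SUSPICIOUS:
            total += p_d
    return total


if __name__ == "__main__":
    u = (1, 0, 1, 1, 0)
    print("all conclusive:", correct(parities(u), u, (True,) * K))
    print("none conclusive:", correct(parities(u), u, (False,) * K))
    print("P(e_k large), honest Dave:   %.4f" % prob_large_ek(False))
    print("P(e_k large), cheating Dave: %.4f" % prob_large_ek(True))
```

For this toy code an honest Dave produces a large e_k in about 1.8% of all-conclusive blocks, against 62.5% when his parities are uncorrelated with Ursula's results, the same qualitative gap as the 2.14% versus 40.63% quoted above.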



Database Privacy 



On the other hand, a user attacking the protocol seeks to learn as many bits from the database as possible. One
method of doing so is to store the photons from Dave in a quantum memory until after he reveals whether he sent
a ψ or φ state, and then perform an unambiguous state discrimination (USD) measurement [40], [41] to distinguish
which of the two remaining states was sent. However, as Dave only reveals information about a quantum state after
Ursula has declared that a photon has been detected, every photon that a dishonest Ursula declares as "detected"
contributes to her sifted key. As such, any photon that Ursula declares as "detected" but subsequently fails to detect
(e.g. because she could not identify when a photon was successfully stored in her quantum memory, or because of
losses occurring after the declaration) results in bits in the sifted key of which Ursula has no knowledge. Successfully
performing a USD attack thus requires a heralding signal indicating that a photon was successfully stored in the
quantum memory, and the ability to recall the photon from the quantum memory with near 100% efficiency. For
the following analysis, we assume a heralding signal in conjunction with a perfect quantum memory (i.e. one that
introduces no error into the quantum states, and has 100% efficiency; a realistic quantum memory would reduce the
effectiveness of the attack), and that there are no other sources of loss that reduce the success probability of the USD
measurement.

If Ursula is able to perform a USD measurement, this allows her to maximize the probability that the quantum
measurements will give conclusive results. As shown in [21], the probability of conclusive results increases only
slightly when performing USD measurements, resulting in the user only learning a few more bits than when making
honest measurements. Furthermore, the advantage decreases as θ is decreased [22]. Additionally, in the presence
of error correction, the advantage of performing a USD measurement further decreases. This is because the USD
TABLE III. Comparison of simulation results for a user experiencing higher error rates than those that Dave uses to select
an error-correcting code. The columns labeled "user" correspond to experimental results obtained using standard detectors
(θ = 35.6°, k = 10), or simulation results with improved detectors (θ = 25°, k = 9), as taken from Tables 1 and 2 of the main
text, and represent the actual results of the protocol. The columns labeled "database" represent the potential results of the
protocol, based on an error rate estimation considering only noise at the database.

              θ = 35.6°, k = 10         θ = 25°, k = 9
              user       database       user       database
p_c (%)       16.1       15.9           9.22       9.14
e_c (%)       4.4        2.5            1.91       1.38
e_i (%)       41.24      40.89          45.12      45.11
n (bits)      3.89       14.32          4.35       10.67
m (%)         6.03       6.69           0.96       0.93


measurement gains no information from inconclusive results, essentially exchanging this information for an increased
probability of obtaining a conclusive result. However, the partial information from inconclusive results is useful
during error correction, and can even allow Ursula to know the value of the oblivious key bit in some instances
in which not all measurements were conclusive. As such, error correction can hinder the effectiveness of the USD
attack. Performing USD measurements when using the code with k = 10 and θ = 35.6° only increases the average
number of bits the user knows from n = 3.89 to n = 11.15, a rather small gain for a database of 10^6 bits. For the
code using k = 9 and θ = 25°, performing USD measurements decreases the average number of bits the user knows
from n = 4.35 to n = 1.00. This decrease is due to the fact that at this smaller value of θ, the value of the partial
information gained from inconclusive measurements outweighs the slightly improved probability for a conclusive
measurement offered by the USD measurement. Note that these results are based on having the same error rate as for
the honest measurements, which may not be a realistic assumption given that a different measurement apparatus is
required. The issue of error rates differing from those used to select the error-correcting code is addressed separately
below so as to isolate this effect from that of the USD measurement.



Error rate estimation 

Finally, since Ursula and Dave have an adversarial nature in the private query protocol, accurately characterizing
the error rate in the system in order to select an error-correcting code is not straightforward. In particular, Ursula
would like the database to believe the error rate is higher than in reality, as Dave would then select an error-correcting
code that gives her more information, allowing her to learn more bits from the database. To avoid this problem, Dave
can determine the amount of information a user will learn from the protocol based solely on the error introduced
by devices directly under his control. In fact, he can even choose to deliberately introduce additional noise in order
to provide the desired level of database security. Additional imperfections in the system would cause the user to
experience a higher error rate than Dave's estimate, leading to her learning fewer bits than the database predicts. To
show that there is a regime that allows the protocol to succeed from the user's perspective while still providing good
database security, we re-examine the error-correcting codes that we have considered thus far using the parameters
shown in the columns labeled "database" in Table III, where noise in the system has been reduced compared to the
original parameters in the main text (shown in the columns labeled "user"). Note that the effect of the lower noise
observed by the database is not just a lower error rate in the conclusive measurements, e_c, in the "database" columns;
the other parameters are affected as well. The error rate for inconclusive measurements, e_i, is affected by the
same noise sources as e_c, but the effect on e_i is smaller as the error for inconclusive measurements is dominated by
uncertainty inherent in the quantum measurement. Hence, e_i in the "database" columns is only slightly lower than
in the "user" columns. The total number of conclusive results is reduced slightly as the number of conclusive results
recorded due to noise events is lower. Hence, the probability of conclusive measurements, p_c, is lowered slightly in
the "database" columns. Table III also shows the results for the average number of bits learned by the user, n,
and the average proportion of the database where Dave considers Ursula to have significant partial information, m,
for the original parameters in the "user" columns, as well as for a lower error rate that can be used to select the
error-correcting code in the "database" columns. As can be seen, the reduction in error rates does not result in a
large increase in the potential amount of information gained by a user who experiences no additional error. Thus,
it is possible for an error-correcting code to be selected based on local error rates to both provide the database with
good security and allow the protocol to be successful for a user experiencing higher error rates.